I'm in the process of testing out two PAN-M-100's in the lab and more specifically testing the HA functionality at this point.
The issue that I am running into:
I have changed the Primary to Passive and the Secondary to Active, made a change to the Active/Secondary and then reverted the M-100's back to Active/Primary - Passive/Secondary. After doing this, instead of the Active/Primary pulling the latest config from the Passive/Secondary, it tries to overwrite the config with it's own. So in a nut shell, when we are failed over to our secondary M-100, all the changes we make will have to be redone on the Primary upon fail back.
Running version 5.1.3 (STIG compliance disallows us to upgrade, trust me I wish I could).
Could you please try below mentioned command before doing a failover.
admin@114-PANORAMA> request high-availability sync-to-remote
> candidate-config Sync candidate configuration to peer
> clock Sync the local time and date to the peer
> running-config Sync running configuration to peer
admin@114-PANORAMA> request high-availability sync-to-remote running-config
admin@114-PANORAMA> show jobs all --- just to ensure that sync job has been completed.
Then do a failover test and let us know the result.
Yeah, only the PEER will show the sync job. We have successfully performed the sync. Our next step is to unplug the primary M-100 from the switch (totally take it off the network) to cause the secondary to take over as Active/Passive on it's own. I will then make a config change on the Active/Secondary. Once that is complete, I am going to plug the Primary back into the switch...this should automatically make the Primary Active. The issue is that when we do this, the Primary wants to overwrite the config.
Ok, so when the Primary came back in line, as assumed it went straight into active mode. When you go to sync it overwrites the changes you made on the secondary. I was able to get the primary, once back online, to go into passive state and push the sync from the secondary, which worked! The issue is, after only a minute or two, the primary automatically reverts back to active. The M-100 is currently in preemptive mode, so I don't see why this is happening. These devices should successfully/correctly sync without me having to do all of this extra.
I actually just got done doing that and disconnected the primary from the switch. The secondary automatically switched to active (as expected) and I created another rule. Once the commit is done, I will plug the primary back into the network. Hopefully the primary stays as passive (since preemptive is turned off). I also hope that the sync process kicks off automatically.
So, once the primary was plugged back into the network, it automatically went into ACTIVE mode...how is this?? That tells me that there is absolutely NOTHING different between preemptive and non-preemptive.
What we are trying now is to leave preemptive off on the primary but turn it on the secondary and see what happens.
I've done all that...makes no difference. I have tried every kind of way imaginable and the outcome is always the same: The primary automatically switches back to active and the changes on the secondary don't sync with the primary. I have to manually push the sync from the cli of the secondary to properly sync them...I shouldn't have to do that.
The preemptive feature has to be activated on both devices to use it. If it's activated the device with the higher priority(lower number) becomes active/(primary). If it's not active the device with the longer uptime and lower MAC will be active. Can you post a screenshot of the HA configuration?
I understand all of that...the issue is, I want the "Secondary" to be able to send any new configs to the now, "Active/Primary" upon reinstatement. With the preemptive setting in place, upon reinstatement of the Primary device (making it Active), that device wants to sync it's config with the secondary...I don't want that! By this happening, I'm erasing any config changes that I made, on the secondary, while the primary was down.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!